Nathan Crandall @natecray
Product Security @teslamotors. California, USA. Joined May 2015
Tweets: 83 | Followers: 211 | Following: 125 | Likes: 325
Hello World! I'm happy to use my first tweet to announce my talk on over-the-air Bluetooth firmware hacking at BlackHat this summer! blackhat.com/us-20/briefing…
The real Lord of the Flies: what happened when six boys were shipwrecked for 15 months theguardian.com/books/2020/may…
Excited to open up pivots, USB and (more importantly) ethernet attack surface to the competition this year. Will definitely make things more interesting. Hope to see you in Vancouver!
Pwn2Own starts today - we’ve invited the brightest minds in security research to share their findings on Model 3. Happy hunting!
Nice to see @Tesla opened up its #Linux source code. I just wish I had a Tesla :-) See github.com/teslamotors/li… and build system too github.com/teslamotors/bu… via @gregkh
Kafel and nsjail (github.com/google/nsjail) now support SECCOMP_RET_LOG. If you ever find yourself writing seccomp policies, this will make your life a lot better. Thanks @robertswiecki !
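As an added example (not code from the tweet, from nsjail or from Kafel): a minimal seccomp-bpf filter that runs in "audit mode". Every syscall outside a small allowlist returns SECCOMP_RET_LOG instead of a kill action, so the process keeps running and the kernel logs the syscall; that is how you discover what a policy is missing before flipping the default to kill. The BPF opcode and seccomp constants are copied from the kernel UAPI so the file compiles without the Linux headers, and a tiny interpreter evaluates the filter in user space so it can be unit-tested without installing it. The allowlist (read, write, exit_group on x86_64) is a hypothetical one for illustration; install_filter() is Linux-only.

```c
/* Added example: seccomp-bpf allowlist whose default action is SECCOMP_RET_LOG.
 * Constants mirror the kernel UAPI (linux/filter.h, linux/seccomp.h, linux/audit.h). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BPF_LD   0x00
#define BPF_W    0x00
#define BPF_ABS  0x20
#define BPF_JMP  0x05
#define BPF_JEQ  0x10
#define BPF_K    0x00
#define BPF_RET  0x06

struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, (uint32_t)(k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (uint8_t)(jt), (uint8_t)(jf), (uint32_t)(k) }

#define SECCOMP_RET_LOG    0x7ffc0000U   /* run the syscall, but log it (Linux >= 4.14) */
#define SECCOMP_RET_ALLOW  0x7fff0000U
#define AUDIT_ARCH_X86_64  0xc000003eU
#define SECCOMP_DATA_NR    0             /* offsetof(struct seccomp_data, nr)   */
#define SECCOMP_DATA_ARCH  4             /* offsetof(struct seccomp_data, arch) */

/* Hypothetical allowlist for a sandboxed worker: read(0), write(1), exit_group(231).
 * Jump targets are relative to the next instruction, as in classic BPF. */
static struct sock_filter audit_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SECCOMP_DATA_ARCH),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_LOG),      /* foreign ABI: log (kill in production) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SECCOMP_DATA_NR),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0,   3, 0),  /* read       -> ALLOW */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1,   2, 0),  /* write      -> ALLOW */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 231, 1, 0),  /* exit_group -> ALLOW */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_LOG),      /* anything else: log, do not kill */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define AUDIT_FILTER_LEN (sizeof audit_filter / sizeof audit_filter[0])

/* Toy interpreter for the three opcode forms used above, evaluated over a synthetic
 * seccomp_data that models only the arch and nr fields. Returns the seccomp action. */
static uint32_t run_filter(const struct sock_filter *p, size_t n, uint32_t arch, uint32_t nr)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *i = &p[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (i->k == SECCOMP_DATA_NR) ? nr : (i->k == SECCOMP_DATA_ARCH) ? arch : 0;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == i->k) ? i->jt : i->jf;   /* loop's pc++ adds the implicit +1 */
            break;
        case BPF_RET | BPF_K:
            return i->k;
        default:
            return 0;                               /* opcode not modelled here */
        }
    }
    return 0;
}

/* What the kernel would decide for a syscall `nr` made under ABI `arch`. */
static uint32_t filter_decision(uint32_t arch, uint32_t nr)
{
    return run_filter(audit_filter, AUDIT_FILTER_LEN, arch, nr);
}

#if defined(__linux__)
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
struct sock_fprog { uint16_t len; struct sock_filter *filter; };
#define SECCOMP_SET_MODE_FILTER 1
/* Install the filter for the calling thread via seccomp(2); returns 0 or -1. */
static int install_filter(void)
{
#if defined(SYS_seccomp)
    struct sock_fprog prog = { (uint16_t)AUDIT_FILTER_LEN, audit_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
#else
    return -1;
#endif
}
#endif

int main(void)
{
    printf("write(1) on x86_64 -> %#x (expect ALLOW %#x)\n",
           filter_decision(AUDIT_ARCH_X86_64, 1), SECCOMP_RET_ALLOW);
    printf("execve(59) on x86_64 -> %#x (expect LOG %#x)\n",
           filter_decision(AUDIT_ARCH_X86_64, 59), SECCOMP_RET_LOG);
    return 0;
}
```

Whether a SECCOMP_RET_LOG hit actually reaches the audit log or dmesg depends on the sysctl `kernel.seccomp.actions_logged` (/proc/sys/kernel/seccomp/actions_logged) including `log`; check that before concluding a policy is complete because nothing was logged.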
@bokmann @stuarthalloway RT if you've written PostScript code by hand.
(Note that I've only been doing android bounty for about a year).
Also, turns out just looking at the monthly patches is a good bang for your buck. This is the 3rd time I've seen an incomplete CVE fix. :)
The disclosure timeline was ~120 days. I have another bug coming up next month that will be closer to a 160 day timeline. Not good.
I discovered CVE-2017-0331 while looking at the patch for CVE-2016-8428. The fix was validating input directly in user space.
I love when kmsg gets corrupted but still readable. Mine turned southern tonight...some mighty fine pagin'! Also, PoC works :)
To be fair though, Google was responsive to my initial report. The huge delay was on NVIDIA's side, not sure what happened (7 months)
Who immediately acknowledged the issues. Thanks PSIRT @nvidia !
Google originally closed my ticket because the integer overflow only affected 32-bit platforms. Instead I reported directly to NVIDIA...
CVE-2016-6915, CVE-2016-6916, CVE-2016-6917 reported by me 8 months ago to Google. Just fixed now :(
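The thread above names two classes of driver input-validation bug: a check performed on data that still sits in user memory (so user space can change it between the check and the use), and a size calculation that only overflows on 32-bit builds. As an added example that is not the vendor's code and not the actual CVE details, both are modelled below in user space so the file compiles and runs anywhere: sizes are uint32_t to stand in for size_t on a 32-bit kernel, copy_from_user() is simulated with memcpy, and a hook lets a test play the role of a second user-space thread racing the handler. All names are hypothetical.

```c
/* Added example: double fetch and 32-bit-only size overflow in an ioctl-style handler,
 * beside the fixed version. Not from any real driver. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

struct req { uint32_t count; uint32_t off; };  /* what the caller hands to the ioctl */
#define ENTRY_SIZE 16u                          /* bytes per entry in a kernel pool */
#define POOL_BYTES 4096u                        /* size of the pool being indexed */

/* Stand-in for copy_from_user(): the "user" struct is just a pointer here. */
static int copy_from_user_sim(void *dst, const void *user, size_t n)
{
    memcpy(dst, user, n);
    return 0;
}

/* Lets a test mutate the caller's struct between check and use, i.e. what another
 * user-space thread can do during a real double fetch. May be NULL. */
typedef void (*racer_fn)(struct req *);

/* Vulnerable handler. Returns the byte count it goes on to use, or -1 if rejected.
 * Defect 1: the bounds check reads the struct where user space can still change it,
 *           and the struct is fetched again afterwards (double fetch).
 * Defect 2: count * ENTRY_SIZE is computed in 32 bits, so a large count wraps to a
 *           small value and the check passes on a 32-bit build. */
static int64_t handler_bad(struct req *ureq, racer_fn racer)
{
    uint32_t bytes = ureq->count * ENTRY_SIZE + ureq->off;   /* wraps on 32-bit */
    if (bytes > POOL_BYTES)
        return -1;
    if (racer)
        racer(ureq);                                        /* window between check and use */
    struct req k;
    copy_from_user_sim(&k, ureq, sizeof k);                 /* second fetch, may differ */
    return (int64_t)k.count * ENTRY_SIZE + k.off;           /* size the handler really uses */
}

/* Fixed handler: copy once, validate only the private copy, and use overflow-checked
 * arithmetic (the kernel's check_mul_overflow()/check_add_overflow() do the same). */
static int64_t handler_good(struct req *ureq, racer_fn racer)
{
    struct req k;
    if (copy_from_user_sim(&k, ureq, sizeof k))
        return -1;
    if (racer)
        racer(ureq);                /* too late: the handler only looks at k from here on */
    uint32_t bytes;
    if (__builtin_mul_overflow(k.count, ENTRY_SIZE, &bytes))
        return -1;
    if (__builtin_add_overflow(bytes, k.off, &bytes))
        return -1;
    if (bytes > POOL_BYTES)
        return -1;
    return bytes;
}

/* Constructed racer: bumps count after the vulnerable handler has already checked it. */
static void grow_count(struct req *r) { r->count = 1000; }

int main(void)
{
    /* Constructed input: 0x10000001 * 16 == 0x100000010, which is 16 when truncated to 32 bits. */
    struct req wrap_a = { 0x10000001u, 0 }, wrap_b = { 0x10000001u, 0 };
    struct req race_a = { 1, 0 }, race_b = { 1, 0 };
    printf("32-bit wrap:  bad=%lld good=%lld\n",
           (long long)handler_bad(&wrap_a, NULL), (long long)handler_good(&wrap_b, NULL));
    printf("double fetch: bad=%lld good=%lld\n",
           (long long)handler_bad(&race_a, grow_count), (long long)handler_good(&race_b, grow_count));
    return 0;
}
```

On a 64-bit build the same multiplication in a real size_t would not wrap, which is exactly why a report scoped to 32-bit targets can look minor to a triager while still being a full bounds-check bypass on the platforms that ship it.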
Almost a year and a half since I posted this, and it’s more true than ever. It’s an especially lonely feeling when things seem to be going well. Feels like a dirty secret I’m hiding. Sure that bug/exploit was cool or whatever, but it’s the last one I’ll ever find!
Confirmed!!! The @Synacktiv team used a single integer overflow to exploit the #Tesla ECU with Vehicle (VEH) CAN BUS Control. They win $200,000, 20 Master of Pwn points, and a new Tesla Model 3 (their second!). Awesome work as always. #Pwn2Own #P2OVancouver
Got a horrible draw for the upcoming #Pwn2Own, but still super excited to be competing for the first time. It’s always been a goal of mine ☺️
lol no one tell the e/acc fundamentalists, idealists, “will die on the hill of” about the real Dune story because if so they’d know in the events preceding the movie the world had AI & gave it up to make humans better & they need spice since they can’t use computers
New blog post is out! Extracting the SecOC keys used for securing the CAN Bus on the 2021+ RAV4 Prime. icanhack.nl/blog/secoc-key… Research started all the way in 2022, but took many evenings of reverse engineering to get code execution. PoC: github.com/I-CAN-hack/sec…
Here we are! 🥷 Masters of pwn for the third time 🎉 Congratulations to all the ninjas involved! #Pwn2Own
If I've learned one thing working in security it's that no one cares if all you do is point out problems. Come prepared with solutions or you're just making noise.
The details of our Tesla #pwn2own exploit chain are now public!
Slides of our latest talks during #GreHack23 and @codeblue_jp are now available on our website! synacktiv.com/ressources
Me: spends a crazy amount of money on orthopedic dog beds that are good for joints and hip dysplasia, scatters them all over house in his favorite spots blah blah blah Me: goes to find dog, where is dog Dog:
What I'd love to see is more security guidance on designing and building secure CI/CD envs rather than hardening (after the fact of the design). e.g. how to ensure builds and pipelines are isolated from each other so that a dev branch on one repo can't be used to move laterally?
🛡️ Defending CI/CD Environments 23 page PDF by @CISACyber and @NSAGov * Threats * Attack surface * Threat scenarios * Hardening steps For cloud CI/CD deployments media.defense.gov/2023/Jun/28/20…
@5aelo It's probably going to be accidentally enabled in a prod build at least once in Chrome's lifetime 😂
Many people told me that my talk was depressing. But I think that's only because I was talking about how dark everything is. Meanwhile I thought I gave an optimistic talk because I acknowledged the theoretical possibility of light existing. Maybe I should read less Russian lit.
@olofj Bet you it's a vendor provided kernel source for the SoC they've got, and there's no good way to upgrade it up and out to something newer and way way way better
7 year anniversary of SunShine, with most of our exploits still unpatched by @htc